Ticket #633 (closed task: fixed)

Opened 14 years ago

Last modified 13 years ago

[S] Code for verifying cert chains of trust

Reported by: pjkersha Owned by: pjkersha
Priority: blocker Milestone: BETA+Security
Component: security Version:
Keywords: Security, trust, CA, chain of trust Cc:


For digital signature verification the chain of trust needs to be validated in addition to the signature itself.

e.g. getAttCert call to Attribute Authority is signed by proxy private key:

  • verify the signature using the proxy X.509 cert containing the public key
  • verify the signature of the X.509 cert using the user cert that issued the proxy
  • verify the user cert was issued by the CA using the CA's cert.

In the alpha code pyXMLSec did this. For beta M2Crypto is used in its place: investigate M2Crypto and OpenSSL code to do the same function.

Change History

comment:1 Changed 14 years ago by pjkersha

  • Status changed from new to assigned

comment:2 Changed 14 years ago by pjkersha

This is now part completed. wsSecurity.SignatureHandler.verify as well as verifying the actual signature now verifies the X.509 cert used in the signature against a CA cert or list of CA certs.

The verification is done with M2Crypto.X509.X509.verify (see python-crypto list q.)

However, the problem remains as to how to verify in the case of proxy certificates. For this, the message recipient needs the proxy cert, the user cert that issued the proxy and the CA cert in order to complete the chain of trust. It's still not clear how to pass proxy certs with WS-Security but help from Joshua Boverhoff needs follow-up: http://www-unix.globus.org/mail_archive/python-discuss/2007/02/msg00000.html

comment:3 Changed 14 years ago by lawrence

  • Milestone changed from BETA to BETA+Security

comment:4 Changed 13 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

Verifying chains of trust with proxy certs and SOAP messages has been solved by using 'X509PKIPathv1' ValueType for the BinarySecurityToken element of the WSSE header. This enables the proxy certificate to be passed plus the user certificate that issued the proxy. The recipient can then verify the chain back to the CA cert, which it holds in addition.
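The chain the ticket describes (proxy signed with the user's key, user cert issued by the CA, CA held by the recipient), built and checked with the openssl command line as an added example; this is not code from the ticket or the project. The DNs, file names and temporary directory are constructed, and `-allow_proxy_certs` is the OpenSSL switch that permits RFC 3820 proxy certificates in a chain.

```shell
#!/bin/sh
# Added example, not from the ticket. Builds CA -> user -> proxy with the openssl CLI
# and verifies the proxy the way the ticket describes. All names/paths are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_USER="/O=Example Org/CN=alice"          # constructed user DN
SUBJ_PROXY="$SUBJ_USER/CN=proxy"             # RFC 3820: proxy DN = issuer DN + one extra CN

build_chain() {
    cd "$WORK"
    # 1. self-signed CA (req -x509 adds basicConstraints CA:TRUE from the default config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example Org/CN=Example CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    # 2. user (end-entity) cert issued by the CA; no CA extension on purpose
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_USER" -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -days 1 -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out user.pem 2>/dev/null
    # 3. proxy cert signed with the USER key; proxyCertInfo marks it as a proxy (RFC 3820)
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_PROXY" -keyout proxy.key -out proxy.csr 2>/dev/null
    printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB\n' > proxy.ext
    openssl x509 -req -days 1 -in proxy.csr -CA user.pem -CAkey user.key -CAcreateserial \
        -extfile proxy.ext -out proxy.pem 2>/dev/null
}

# Full chain: the CA is the only trust anchor, the user cert is untrusted glue the
# verifier needs to reach it, and proxies must be explicitly allowed. Exit 0 = verified.
verify_proxy_chain() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/ca.pem" \
        -untrusted "$WORK/user.pem" "$WORK/proxy.pem" >/dev/null 2>&1
}
# Recipient holds only the CA and the proxy: the chain cannot be completed, must fail.
verify_without_user_cert() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/ca.pem" "$WORK/proxy.pem" >/dev/null 2>&1
}
# Same chain but proxies not enabled: OpenSSL refuses the proxy cert, must fail.
verify_without_proxy_flag() {
    openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/user.pem" "$WORK/proxy.pem" >/dev/null 2>&1
}

build_chain
if verify_proxy_chain; then echo "proxy -> user -> CA chain verified"; fi
if ! verify_without_user_cert; then echo "rejected without the user cert (as expected)"; fi
if ! verify_without_proxy_flag; then echo "rejected without -allow_proxy_certs (as expected)"; fi
```

The two failing calls are the cases comment 2 and comment 4 are about: the recipient must receive the user cert alongside the proxy (hence X509PKIPathv1), and the OpenSSL-based verifier must opt in to proxy certificates.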
